pam_ssh_agent_auth(8)                  PAM                 pam_ssh_agent_auth(8)

NAME
       pam_ssh_agent_auth - PAM module for granting permissions based on SSH
       agent requests

DESCRIPTION
       This module provides authentication via ssh-agent. If an ssh-agent
       listening at SSH_AUTH_SOCK can successfully prove that it holds the
       private key matching a public key in the specified file,
       authentication is granted; otherwise authentication fails.

USAGE
       /etc/pam.d/sudo:
              auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys

       /etc/sudoers:
              In older versions of sudo (< 1.8.5) it was necessary to set:
              Defaults env_keep += "SSH_AUTH_SOCK"

       This configuration would permit anyone who has an SSH_AUTH_SOCK that
       manages the private key matching a public key in
       /etc/security/authorized_keys to execute sudo without having to enter
       a password. Note that the ssh-agent listening to SSH_AUTH_SOCK can
       either be local or forwarded.

       Unlike NOPASSWD, this still requires authentication; it is simply
       that the authentication is provided by ssh-agent rather than by
       password entry.

OPTIONS
       file=<path to authorized_keys>
              Specify the path to the authorized_keys file(s) you would like
              to use for authentication. Subject to tilde and % EXPANSIONS
              (below).

       allow_user_owned_authorized_keys_file
              A flag which allows authorized_keys files to be owned by the
              invoking user instead of root. This flag is enabled
              automatically whenever the expansions %h or ~ are used.

       authorized_keys_command=<path to executable>
              Specify an external command to run, which should take a single
              argument, the username of the person being authenticated, and
              emit to its stdout a file in authorized_keys format. This is
              ideally suited for use with sssd's sss_ssh_authorizedkeys, for
              authenticating users via authorized_keys stored in LDAP or
              another sssd-supported security service.

       authorized_keys_command_user=<username>
              Specify a user to run the authorized_keys_command as. If this
              option is not specified, the authorized_keys_command will be
              run as the user being authenticated.

       debug
              A flag which enables verbose logging.

       sudo_service_name=<service name you compiled sudo to use>
              (when compiled with --enable-sudo-hack)

              Specify the service name to use to identify the service "sudo".
              When the PAM_SERVICE identifier matches this string, and if
              PAM_RUSER is not set, pam_ssh_agent_auth will attempt to
              identify the calling user from the environment variable
              SUDO_USER.

              This defaults to "sudo".

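       The following is an added example, not part of this man page or of the
       pam_ssh_agent_auth project, of what an authorized_keys_command can look
       like. It follows the contract stated above (one argument, the username;
       authorized_keys-format lines on stdout) and, before emitting a line,
       checks that the key type named at the start of the line agrees with the
       type encoded inside the base64 blob, dropping anything malformed. The
       key store is a constructed stand-in for the LDAP/sssd lookup a real
       deployment would do, and the keys in it are all-zero placeholders.

```python
#!/usr/bin/env python3
"""Hypothetical authorized_keys_command for pam_ssh_agent_auth (added example).

Contract from the man page: one argument, the username being authenticated;
authorized_keys-format lines on stdout. KEY_STORE below is a constructed
stand-in for the directory (e.g. LDAP via sssd) a real deployment would query.
"""
import base64
import struct
import sys

# Key types this command is willing to emit; anything else is dropped.
KNOWN_KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

def _ssh_string(data):
    """Encode bytes as an SSH wire string (uint32 length prefix + data)."""
    return struct.pack(">I", len(data)) + data

def encode_blob(key_type, *fields):
    """Build the base64 blob of a public key from its wire-format fields."""
    raw = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    return base64.b64encode(raw).decode("ascii")

def blob_key_type(b64):
    """Return the key type embedded in a base64 blob, or None if malformed."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:                 # binascii.Error is a ValueError
        return None
    if len(raw) < 4:
        return None
    n = struct.unpack(">I", raw[:4])[0]
    if len(raw) < 4 + n:
        return None
    return raw[4:4 + n].decode("ascii", "replace")

def valid_authorized_key_line(line):
    """True if 'type blob [comment]' is well formed and the blob agrees on type.

    Lines with leading options (e.g. from="...") are rejected by this
    simplified parser; extend it if the store carries such options.
    """
    fields = line.split(None, 2)
    if len(fields) < 2 or fields[0] not in KNOWN_KEY_TYPES:
        return False
    return blob_key_type(fields[1]) == fields[0]

# Constructed key store. Keys are all-zero placeholders, not real public keys.
KEY_STORE = {
    "fred": [
        "ssh-ed25519 " + encode_blob("ssh-ed25519", bytes(32)) + " fred@laptop",
        # blob encodes ssh-ed25519 but the line claims ssh-rsa: dropped
        "ssh-rsa " + encode_blob("ssh-ed25519", bytes(32)) + " mislabelled",
        "not an authorized_keys line at all",
    ],
    "alice": [],
}

def keys_for(user):
    """Keys the command will emit for 'user': only well-formed entries."""
    return [l for l in KEY_STORE.get(user, []) if valid_authorized_key_line(l)]

def main(argv):
    if len(argv) != 2:
        sys.stderr.write("usage: %s <username>\n" % argv[0])
        return 2
    for line in keys_for(argv[1]):
        print(line)
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

       Installed as, say, /usr/local/sbin/pam_keys (a hypothetical path), it
       would be referenced with authorized_keys_command=/usr/local/sbin/pam_keys,
       and authorized_keys_command_user= is the place to make it run as an
       unprivileged account rather than as the user being authenticated.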
EXPANSIONS
       ~ -- same as in shells, a user's home directory
              Automatically enables allow_user_owned_authorized_keys_file if
              used in the context of ~/. If used as ~user/, it would expect
              the file to be owned by 'user', unless you explicitly set
              allow_user_owned_authorized_keys_file.

       %h -- User's home directory
              Automatically enables allow_user_owned_authorized_keys_file.

       %H -- The short hostname
       %u -- Username
       %f -- FQDN

EXAMPLES
       in /etc/pam.d/sudo

       "auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys"
              The default .ssh/authorized_keys file in a user's home directory.

       "auth sufficient pam_ssh_agent_auth.so file=%h/.ssh/authorized_keys"
              Same as above.

       "auth sufficient pam_ssh_agent_auth.so file=~fred/.ssh/authorized_keys"
              If the home directory of user 'fred' was /home/fred, this would
              expand to /home/fred/.ssh/authorized_keys. In this case, we have
              not specified allow_user_owned_authorized_keys_file, so this
              file must be owned by 'fred'.

       "auth sufficient pam_ssh_agent_auth.so
              file=/secure/%H/%u/authorized_keys
              allow_user_owned_authorized_keys_file"
              On a host named foobar.baz.com, and a user named fred, this
              would expand to /secure/foobar/fred/authorized_keys. In this
              case, we specified allow_user_owned_authorized_keys_file, so
              fred would be able to manage that authorized_keys file himself.

       "auth sufficient pam_ssh_agent_auth.so
              file=/secure/%f/%u/authorized_keys"
              On a host named foobar.baz.com, and a user named fred, this
              would expand to /secure/foobar.baz.com/fred/authorized_keys. In
              this case, we have not specified
              allow_user_owned_authorized_keys_file, so this file must be
              owned by root.

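       The following is an added example, not code from this man page or from
       the pam_ssh_agent_auth project, that applies the EXPANSIONS rules and
       the ownership rules from the OPTIONS and EXAMPLES sections to a
       /etc/pam.d line: it expands file=, works out whether
       allow_user_owned_authorized_keys_file is in effect (explicitly, or
       implicitly via ~/ or %h), and reports which account must own the
       resulting file. The home directories are a constructed table standing in
       for the passwd database; the reading that ~user/ combined with an
       explicit allow_user_owned_authorized_keys_file means the invoking user
       owns the file is mine, and the group/world-writable check in
       ownership_problems() is an addition beyond what the page states.

```python
import os
import pwd
import shlex
import stat

# Constructed stand-in for the passwd database, covering the users in the
# man page's examples. Pass home_dirs=None to use pwd.getpwnam() instead.
EXAMPLE_HOME_DIRS = {"fred": "/home/fred", "alice": "/home/alice"}

def home_of(name, home_dirs):
    return home_dirs[name] if home_dirs is not None else pwd.getpwnam(name).pw_dir

def parse_pam_line(line):
    """Parse one /etc/pam.d line into the module's option dict.

    'file=/path' becomes {'file': '/path'}; a bare flag such as
    allow_user_owned_authorized_keys_file becomes {flag: True}.
    """
    parts = shlex.split(line)
    if len(parts) < 3 or parts[2] != "pam_ssh_agent_auth.so":
        raise ValueError("not a pam_ssh_agent_auth line: %r" % line)
    opts = {}
    for tok in parts[3:]:
        key, sep, value = tok.partition("=")
        opts[key] = value if sep else True
    return opts

def expand_file_path(pattern, user, fqdn, home_dirs=EXAMPLE_HOME_DIRS):
    """Apply the EXPANSIONS rules to a file= value.

    Returns (path, base_owner, auto_user_owned). base_owner is who must own
    the file before any flag is considered ('root', or the named account for
    ~user/); auto_user_owned is True when ~/ or %h implicitly switched on
    allow_user_owned_authorized_keys_file.
    """
    owner, auto_user_owned, path = "root", False, pattern
    if path.startswith("~"):
        name, slash, rest = path[1:].partition("/")
        if name == "":                       # ~/  -> invoking user's home
            path = home_of(user, home_dirs) + slash + rest
            auto_user_owned = True
        else:                                # ~user/ -> that user's home
            path = home_of(name, home_dirs) + slash + rest
            owner = name
    if "%h" in path:                         # %h also enables the flag
        auto_user_owned = True
    path = (path.replace("%h", home_of(user, home_dirs))
                .replace("%H", fqdn.split(".")[0])
                .replace("%u", user)
                .replace("%f", fqdn))
    return path, owner, auto_user_owned

def required_owner(opts, user, fqdn, home_dirs=EXAMPLE_HOME_DIRS):
    """Return (expanded path, account that must own it) for one config line."""
    if "file" not in opts:
        raise ValueError("file= option missing")
    path, owner, auto = expand_file_path(opts["file"], user, fqdn, home_dirs)
    if auto or opts.get("allow_user_owned_authorized_keys_file"):
        owner = user   # flag in effect: the invoking user owns the file
    return path, owner

def ownership_problems(owner_name, mode, required):
    """Compare the file's actual owner and mode with what the config requires.

    The owner rule is the man page's. Rejecting group- or world-writable
    files is an added conservative check: whoever can append a public key to
    this file can then pass the module without a password.
    """
    problems = []
    if owner_name != required:
        problems.append("owned by %s, expected %s" % (owner_name, required))
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems

def audit(line, user, fqdn):
    """Live check: expand the line for 'user' and stat the resulting file."""
    path, required = required_owner(parse_pam_line(line), user, fqdn, home_dirs=None)
    st = os.stat(path)
    return path, ownership_problems(pwd.getpwuid(st.st_uid).pw_name, st.st_mode, required)

# The five lines from the EXAMPLES section, evaluated for user fred on host
# foobar.baz.com as the man page does.
PAGE_EXAMPLES = [
    "auth sufficient pam_ssh_agent_auth.so file=~/.ssh/authorized_keys",
    "auth sufficient pam_ssh_agent_auth.so file=%h/.ssh/authorized_keys",
    "auth sufficient pam_ssh_agent_auth.so file=~fred/.ssh/authorized_keys",
    "auth sufficient pam_ssh_agent_auth.so file=/secure/%H/%u/authorized_keys "
    "allow_user_owned_authorized_keys_file",
    "auth sufficient pam_ssh_agent_auth.so file=/secure/%f/%u/authorized_keys",
]

def check_examples(user="fred", fqdn="foobar.baz.com"):
    return [required_owner(parse_pam_line(l), user, fqdn) for l in PAGE_EXAMPLES]

if __name__ == "__main__":
    for (path, owner) in check_examples():
        print("%-45s must be owned by %s" % (path, owner))
```

       Run as a script it prints, for each EXAMPLES line, the expanded path
       and the account that must own it; audit() does the same for a real
       line on the current host and then stats the file, which is the check
       worth running after editing /etc/pam.d/sudo.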
COPYRIGHT
       Copyright (c) 2008-2014, Jamie Beverly.
       And is based on openssh, and the included works by Markus Friedl,
       Darren Tucker, Todd C. Miller, Ben Lindstrom, Tim Rice, Damien Miller,
       and many others.

       All rights reserved.

       See sources for complete attributions.

       Redistribution and use in source and binary forms, with or without
       modification, are permitted provided that the following conditions
       are met:

       1. Redistributions of source code must retain the above copyright
          notice, this list of conditions and the following disclaimer.

       2. Redistributions in binary form must reproduce the above copyright
          notice, this list of conditions and the following disclaimer in
          the documentation and/or other materials provided with the
          distribution.

       THIS SOFTWARE IS PROVIDED BY Jamie Beverly ``AS IS'' AND ANY EXPRESS
       OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
       WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
       DISCLAIMED. IN NO EVENT SHALL Jamie Beverly OR CONTRIBUTORS BE LIABLE
       FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
       CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
       SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
       BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
       WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
       OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
       IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

v0.8                               2019-04-09                pam_ssh_agent_auth(8)